[Freeipa-users] Query IPA for group membership

Fred van Zwieten fvzwieten at vxcompany.com
Fri Oct 5 18:13:48 UTC 2012


You are completely right :-)

Both IPA server and client are RHEL6.3 x86_64 boxes.

On the OpenVPN server (which is an IPA client), I have 2 OpenVPN instances
running, because different users must end up in different subnets.

OpenVPN instance 1 listens on port 50000
OpenVPN instance 2 listens on port 50001

Users for subnet 1 must connect and authenticate on instance 1 (and get an
IP in subnet 1)
Users for subnet 2 must connect and authenticate on instance 2 (and get an
IP in subnet 2)

Both OpenVPN instances use the login pam module.

In this setup I can not prevent users for subnet 2 to connect and
authenticate successfully on OpenVPN instance 1.

So, I would like to put the users for OpenVPN instance 1 in group OpenVPN1
and users for OpenVPN instance 2 in group OpenVPN2 on IPA.

Next, the OpenVPN daemon must be able to check a user for membership. If it
is not a member, false is returned, and the OpenVPN authentication fails.

Documentation for openvpn_auth_pam is here:
<https://community.openvpn.net/openvpn/browser/plugin/auth-pam/README?rev=6cfada268122fe54ce6d211d96c744e91d41248c>

Fred


On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
>
> Hello,
>
>  I have an IPA server running. This server has users who are members of
> various groups. I want to query the IPA server from an IPA client to know
> whether a user is a member of a group.
>
>  I want to do this from the OpenVPN service using the
> openvpn_auth_pam.so. Normally one uses this like this:
>
>  openvpn_auth_pam.so login
>
>  This queries the PAM login (and thus IPA) whether the username/password from
> openvpn is valid. The "login" is /etc/pam.d/login. OpenVPN docs say you
> could use other modules instead of login.
>
>  So, I would like to add the next line:
>
>  openvpn_auth_pam.so group <username> "openvpn"
>
>  Where a /etc/pam.d/group file would check whether the user is a member of
> the group "openvpn". If not, false is returned and the login attempt (through
> openvpn) fails.
>
>  Is this possible? If not is there a better way?
>
>  Fred
>
>
>
> Can you step up from the implementation and explain what you want to
> accomplish?
> It seems that you want to use OpenVPN and do some access control checks
> when user connects to OpenVPN. Right?
> If you can describe the flow of operations we might be able to guide you to
> the right solution.
>
> Also, it would be nice to understand what OS OpenVPN is running on.
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
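One way to get the per-instance group check Fred describes, written as an added example rather than anything from the thread or from the OpenVPN project: give each OpenVPN instance its own PAM service file and gate it on the IPA group with the standard Linux-PAM module pam_succeed_if. The file name `/etc/pam.d/openvpn1` is an assumption; the group name `OpenVPN1`, the plugin name and the RHEL 6 `system-auth` stack that ipa-client-install configures are taken from the message above.

```pam
# /etc/pam.d/openvpn1  -- assumed file name; one service file per OpenVPN instance.
# Selected from the instance-1 server config with the plugin line from the message:
#   plugin openvpn_auth_pam.so openvpn1
#
# The group check comes BEFORE the include on purpose: system-auth ends with
# "sufficient" entries (pam_unix, pam_sss), and a sufficient success returns
# from the whole stack, so a check placed after the include would be skipped.
# "required" (rather than "requisite") still runs the password check, so the
# failure looks the same to the client whether the password or the group is wrong.
# pam_succeed_if resolves the group through NSS (sssd); confirm the IPA group
# is visible on the client first with:  getent group OpenVPN1
auth     required  pam_succeed_if.so user ingroup OpenVPN1
auth     include   system-auth
account  required  pam_succeed_if.so user ingroup OpenVPN1
account  include   system-auth
```

Instance 2 gets the same file as `openvpn2` with `ingroup OpenVPN2`; a user who is only in OpenVPN2 and presents valid IPA credentials to instance 1 is then rejected by the group line, which is the case the message says cannot currently be prevented.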